1. DATA PROTECTION LAW IS COMING TO ASIA
Professor Abu Bakar Munir
Faculty of Law, University of Malaya
Adviser to the Malaysian Government
(2007-2010)
INDONESIA INFORMATION SECURITY FORUM 2011
14 December 2011
Bandung, Indonesia
#IISF2011 1
4. Concept of Privacy
Definition
Privacy is our right to keep a domain around us,
which includes all those things that are part of us,
such as our body, home, thoughts, feelings,
secrets and identity. The right to privacy gives us
the ability to choose which parts in this domain
can be accessed by others, and to control the
extent, manner and timing of the use of those
parts we choose to disclose.
5. Types of Privacy
The right to be left alone
Bodily privacy
Privacy of communications
Territorial privacy
Informational privacy
6. Privacy as Human Rights
Article 12, Universal Declaration of Human Rights 1948
No one shall be subjected to arbitrary interference with his privacy,
family, home or correspondence, nor to attacks upon his honour and
reputation. Everyone has the right to the protection of the law against
such interference or attacks.
Some Other Instruments
Article 17, International Covenant on Civil and Political Rights 1966
Article 16, Convention on the Rights of the Child 1989
Article 8, Convention for the Protection of Human Rights and
Fundamental Freedoms 1950
Article 18, OIC Cairo Declaration on Human Rights in Islam 1990
Article 4.3, Declaration of Principles on Freedom of Expression in Africa
2002
Article 5, American Declaration of the Rights and Duties of Man
7. Informational Privacy
The right of an individual to have control over his personal information
Informational Privacy = Personal Data Protection
8. Why do countries protect personal data?
International obligation
Competitiveness
Human right
International influence
9. Why Protect Personal Data?
What Customers Say…
Nearly 90% of online consumers want the right to control
how their personal information is used after it is collected
(Forrester Research 2003)
87% of Americans are concerned about the security of their
information on the Internet
(Zogby International 2010)
61% of adult Americans said that they were extremely
concerned about the privacy of their personal information
when buying online
(University of Southern California 2007)
10. Cont.
Our research shows that 80% of our customers would
walk away if we mishandled their information
(Royal Bank of Canada 2003)
Concerns about the use of personal information led
64% of respondents to decide not to purchase from a
company
(Privacy and American 2005)
67% of respondents decided not to register at a website
or shop online because they found the privacy policy to be
too complicated or unclear
(Privacy and American 2005)
11. Malaysian Consumers Say...
75.3% of respondents say that they were “somewhat
concerned” or “very concerned” about their personal
privacy even when not online
94.2% of respondents felt that their personal privacy
might be threatened when using the Internet
50.8% of non-Internet-banking customers have not
migrated to the online services mainly due to security,
trust and privacy concerns
(Muniruddeen Lallmahamood 2007/2008)
12. Therefore...
Trust and risk are major determinants of purchasing
and of the intention to purchase
Trust is difficult to gain but easy to lose
Consumers are concerned about their privacy
Consumers are very concerned about privacy
when transacting online
13. GOOD PRIVACY, GOOD BUSINESS
“Privacy is good for
business”
Harriet Pearson
IBM Chief Privacy Officer
14. How?
Potential Risks
Breaches of data protection law
Damage to organization’s reputation and brand
Physical, psychological and economic harm to
customers
Financial losses associated with deterioration in the
quality and integrity of personal data due to
customers’ distrust
Loss of market share or a drop in stock price
due to negative publicity / failure or delay in the
implementation of a new product / service due to
privacy concerns
15. Benefits
More positive organizational image and
significant edge over the competition
Business development via expansion into
jurisdictions requiring clear privacy standards
Enhanced data quality and integrity
Fostering better customer service and more
strategic business decision making
Enhanced customer trust and loyalty
18. International Instruments
OECD Guidelines 1980
Council of Europe Convention 1981
European Directive 1995
APEC Privacy Framework 2004
Madrid Resolution 2009
20. Council of Europe Convention 1981
Personal Data shall be:
obtained fairly and lawfully
stored for specified and legitimate purposes and not
used in a way incompatible with those purposes
adequate, relevant and not excessive
accurate and, where necessary, kept up to date
preserved in a form which permits identification of the
data subjects for no longer than is required for the
purpose for which those data are stored
21. European Directive 1995
Personal data must be:
Processed fairly and lawfully
Collected for specified, explicit and legitimate purposes
and not further processed in a way incompatible with
those purposes
Adequate, relevant and not excessive
Accurate and, where necessary, kept up to date
22. APEC Privacy Framework 2004 (9 Principles)
Preventing harm
Notice
Collection Limitation
Uses of personal information
Choice
Integrity
Security safeguards
Access and correction
Accountability
23. Madrid Resolution 2009 (6 Principles)
Lawfulness and fairness
Purpose specification
Proportionality
Data quality
Openness
Accountability
24. Innovative ideas on proactive measures to protect
personal data:
Procedures to prevent and detect breaches
Appointment of data protection or privacy officers
Training, education and awareness programmes
Audit
Adaptation of information systems and/or technologies
Implementation of privacy impact assessment prior to
implementing new systems or technologies
Adoption of codes of practice
Implementation of a response plan
The Madrid Resolution has received support from
Oracle, Walt Disney, Accenture, Microsoft, Google,
Intel, Procter & Gamble, General Electric, IBM and
Hewlett Packard
26. Comprehensive Legislation
All EU countries, including the 10 new
member states (Cyprus, Czech Republic,
Estonia, Hungary, Latvia, Lithuania, Malta,
Poland, Slovakia and Slovenia)
Japan, Korea, New Zealand, Australia, Hong
Kong, Macao, Taiwan, Philippines
Chile, Argentina, Brazil, Mexico
In the Middle East, only Israel
27. Legislation + Self-Regulatory
USA – Privacy Act 1974 + 12 federal
sector-based statutes + State Laws
+ Safe Harbour
Self-Regulatory
Singapore – self-regulation does not work; to have a
data protection law by 2012
28. Doing Nothing so far
Brunei
Vietnam
Laos
Cambodia
Many more
30. Our Part of the World: What’s Happening?
• Macao enacted her Personal Data Protection Act in 2006
• China has come out with several drafts of the law, the latest in 2007
• India amended her Information Technology Act in December 2008. Some new provisions were added
to protect privacy and personal data. In April 2011, the third draft of the Privacy Bill was issued.
• Indonesia came out with an academic draft in 2009
• Thailand developed a draft Bill in 2010
• Taiwan amended her old law and passed a more comprehensive Personal Data Protection Act in
April 2010
• Malaysia passed the Personal Data Protection Act in June 2010
• Korea came out with a more comprehensive law in March 2011
• The Philippines Congress has come out with a draft Act
• Australia and Hong Kong are reviewing their Privacy Act and Privacy Ordinance respectively
• Singapore is currently developing a law, expected to be ready by 2012. On 13 Sept 2011, a
Consultation Paper was released
• In April 2011, the EU Working Party decided that the New Zealand Privacy Act is adequate
31. Korea, Malaysia and Taiwan compared
Korea – Data Protection Act 2011
• Data Protection Principles
• Rights of Data Subjects
• Organization to designate someone to take charge
• Special entity to enforce the Act (Data Protection Commission/DPC)
• Mandatory reporting of significant breach to DPC
• Data breach notification (to the Data Subject)
• Mediation to resolve dispute
• Differentiate personal data & sensitive data
• PIAs are encouraged
Malaysia – Personal Data Protection Act 2010
• Data Protection Principles
• Rights of Data Subjects
• Special entity to enforce the Act (Data Protection Commissioner)
• No mandatory data breach notification
• Differentiate personal data & sensitive data
• Does not apply to Federal and State Governments
Taiwan – Personal Data Protection Act 2010
• Data Protection Principles
• Rights of Data Subjects
• Mandatory data breach notification (to the Data Subject)
• Enforcement by Ministries responsible for each industry sector
32. Malaysian PDPA: An Overview
Non-Application (the Act does not apply to):
• Federal & State Governments
• Credit Reference Agencies
• Non-Commercial Transactions
• Data Processed Outside Malaysia
• Personal, Family, Household Affairs
33. DATA PROTECTION PRINCIPLES
• General Principle
• Notice and Choice Principle
• Disclosure Principle
• Security Principle
• Retention Principle
• Data Integrity Principle
• Access Principle
34. Exemptions
Partial:
• Crime Prevention/Detection
• Offenders Apprehension/Prosecution
• Tax/Duty Assessment/Collection
• Physical/Mental Health
• Statistics/Research
• Court Order/Judgment
• Regulatory Functions
• Journalistic/Literary/Artistic
Total:
• Personal
• Family
• Household
• Recreational
35. RIGHTS OF DATA SUBJECTS
• Right to be Informed
• Right to Access
• Right to Correct
• Right to Withdraw Consent
• Right to Prevent Processing Likely to Cause Distress
• Right to Prevent Processing for Direct Marketing Purposes
36. Offences and Penalties
No. | Section | Offence | Penalty
1 | S. 16(4) | Processing without a certificate of registration | Fine < RM500,000.00 / Imprisonment < 3 years / Both
2 | S. 18(5) | Processing after registration is revoked | Fine < RM500,000.00 / Imprisonment < 3 years / Both
3 | S. 5 | Contravening Data Protection Principles | Fine < RM500,000.00 / Imprisonment < 2 years / Both
4 | S. 29 | Non-Compliance with Code of Practice | Fine < RM100,000.00 / Imprisonment < 1 year / Both
5 | S. 37(4) | Failure to Inform the Refusal to Comply with the Data Correction Request | Fine < RM100,000.00 / Imprisonment < 1 year / Both
6 | S. 38(4) | Processing after consent has been withdrawn | Fine < RM100,000.00 / Imprisonment < 1 year / Both
7 | S. 40(3) | Processing of Sensitive Data | Fine < RM200,000.00 / Imprisonment < 2 years / Both
8 | S. 42(6) | Failure to Comply with the Commissioner’s Requirement (Processing likely to cause damage or distress) | Fine < RM200,000.00 / Imprisonment < 2 years / Both
9 | S. 43(4) | Failure to Comply with the Commissioner’s Requirement (Direct Marketing) | Fine < RM200,000.00 / Imprisonment < 2 years / Both
10 | S. 129(5) | Transfer of Data to Places Outside Malaysia without any law or adequate protection | Fine < RM300,000.00 / Imprisonment < 2 years / Both
11 | S. 130(3) | Collects, discloses or procures to disclose data without consent of Data User | Fine < RM500,000.00 / Imprisonment < 3 years / Both
12 | S. 130(4) and (5) | Selling or offering to sell | Fine < RM500,000.00 / Imprisonment < 3 years / Both
13 | S. 131(1) and (2) | Abetment and Attempt to commit any of the offences | Half of the maximum term provided for that offence
37. Enforcement Mechanisms
Data Protection Commissioner
Advisory Committee
Appeal Tribunal
Codes of Practice
Enforcement Notice
Prosecution
Revocation of Registration
39. My other books on ICT Law
In Print
Cyber Law: Policies and Challenges, Butterworths Asia (1999)
Privacy and Data Protection, Sweet & Maxwell (2002)
Internet Banking: Law and Practice, LexisNexis UK (2004)
Information & Communication Technology Law: Legal & Regulatory Challenges, Thomson Reuters (2010)